Small Business PCI Compliance: The Risks and Rewards of Security Through Change Management

Never judge a small business by its size - these micro enterprises pack a wallop. The Small Business Administration estimates there are more than 28 million small businesses in operation today, and whether they intend to scale up over time or retain their diminutive stature, small businesses with the right mindset can wield the same power as their large competitors.

Small businesses, however, do have their struggles, namely with technological innovation. According to a Wasp Barcode 2015 small business report, more than 1 in every 5 small businesses consider "outdated technology/infrastructure" a leading obstacle to their operations. That's at least 5 million small businesses nationwide, and perhaps many more unwilling to admit their shortcomings.

Being a small business in the age of big data is no excuse for lackluster IT operations, especially when it comes to change management and maintaining a secure, responsive configuration. A lot can go wrong when small businesses don't take their IT service management seriously, as we'll demonstrate using a compliance issue nearly every business that accepts cards contends with: PCI.

What is PCI Compliance?

PCI DSS - the Payment Card Industry Data Security Standard - is a set of security requirements established by the major card brands to help businesses that handle card transactions protect their customers' payment data. No government regulates PCI DSS; it is maintained by the PCI Security Standards Council, founded in 2006 by American Express, Discover, JCB, MasterCard and Visa, and enforced through the contracts merchants sign with their acquiring banks. For the last decade, the goal has been to create and continually enhance a minimum security baseline for payment infrastructure that merchants and their financial institutions can abide by.

How Can Non-Compliance Hurt Small Businesses?

Obviously, noncompliant businesses leave their customers' card data exposed to theft and payment fraud, but that's merely the cherry on the triple-scoop trouble sundae. Security breaches rightfully reduce consumer confidence in the brand as both a technological innovator and a custodian of personal information. Would you continue purchasing products from a merchant who put you in jeopardy?

Not likely, and as cybersecurity moves to the forefront, consumers have begun forming their own opinions of what constitutes security - less than one-third of consumers polled by J.D. Power believe the payment information they share with vendors really is secure.

Noncompliant businesses are also subject to penalties (fines the card brands levy on the acquiring bank, which passes them on to the merchant), legal fees should a breach go to trial, out-of-court settlements if it doesn't, and possible revocation of card processing privileges, which could significantly impact sales. Since small businesses typically have equally small treasuries, chances are they wouldn't be able to recover from the kinds of financial hits PCI noncompliance could lead to.

How Does Change Management Combat or Even Preempt These Dangers?

If you imagine the configuration as a brick wall defending a treasure of sensitive data, change management concerns itself with the controlled deconstruction and reconstruction of that wall to strengthen its protective power. PCI DSS itself demands this: it requires documented change control procedures for every change to in-scope system components (Requirement 6.4 in PCI DSS 3.x). Without a clear, well-defined process assisting in that endeavor, IT freemasons may accidentally leave holes through which information may leak or attackers may infiltrate.

Automating parts of the ITSM change management process is one way to ensure a consummate seal. When engineers can check a proposed change against a CMDB (configuration management database) that records which systems are in PCI scope, what network zone they sit in and what they connect to, for instance, they can determine whether the change would open a gap in security elsewhere - a port exposed from an untrusted zone, a route that quietly pulls an out-of-scope system into the cardholder data environment - before it is deployed. Given the financial consequences noncompliance could herald, small businesses do not have the luxury of learning from their mistakes. Better to prevent them from ever happening.

Transparency also matters, especially when compliance is at stake. Greater visibility into change management acts as insurance against human error and leaves a trail of breadcrumbs should configuration problems occur, and a documented, tamper-evident change history lets a business demonstrate to its assessor and acquiring bank that it took the required steps - or shows everyone involved exactly where improvements need to be made. Either way, the business wins out in the end.
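The two ideas above - checking a proposed change against the CMDB before deployment, and keeping a change trail that can be shown to an assessor - can be put together in a few dozen lines. The following is an added example written for this article, not code from the original page or from any ITSM product; the CMDB entries, the change-request shape, the zone names and the rules are all constructed for illustration.

```python
"""Pre-deployment change check against a small CMDB, with a tamper-evident
change log.  Added example for this article, not code from the original page;
the CMDB entries, change-request shape and rules are constructed for
illustration and stand in for whatever a real ITSM/CMDB product records."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Constructed CMDB: network zone, PCI scope flag and currently exposed ports.
CMDB = {
    "pos-01":   {"zone": "cde",  "pci_scope": True,  "ports": {443}},
    "db-pay":   {"zone": "cde",  "pci_scope": True,  "ports": {5432}},
    "web-shop": {"zone": "dmz",  "pci_scope": True,  "ports": {443}},
    "wiki":     {"zone": "corp", "pci_scope": False, "ports": {80, 443}},
}
# Zones treated as untrusted relative to the cardholder data environment (CDE).
UNTRUSTED_ZONES = {"internet", "corp", "guest"}
# Cleartext services that must not be exposed on an in-scope asset.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass
class Change:
    change_id: str
    requester: str
    asset: str
    action: str                        # "open_port" or "add_route"
    params: dict = field(default_factory=dict)


def check_change(change, cmdb=CMDB):
    """Return the findings for a proposed change; an empty list means it is clear."""
    findings = []
    asset = cmdb.get(change.asset)
    if asset is None:
        return [f"{change.asset} is not in the CMDB; register it before changing it"]

    if change.action == "open_port":
        port, src = change.params["port"], change.params["from_zone"]
        if asset["zone"] == "cde" and src in UNTRUSTED_ZONES:
            findings.append(f"opening {port}/tcp on CDE asset {change.asset} from "
                            f"zone '{src}' breaks CDE segmentation")
        if asset["pci_scope"] and port in CLEARTEXT_PORTS:
            findings.append(f"{CLEARTEXT_PORTS[port]} ({port}/tcp) is cleartext and "
                            f"not allowed on in-scope asset {change.asset}")
    elif change.action == "add_route":
        target = cmdb.get(change.params["to_asset"])
        if target is None:
            findings.append(f"route target {change.params['to_asset']} is not in the CMDB")
        elif target["zone"] == "cde" and not asset["pci_scope"]:
            # A system that can reach the CDE is a "connected-to" system and
            # becomes in scope itself; the requester rarely expects that.
            findings.append(f"route from out-of-scope {change.asset} into the CDE "
                            f"would pull {change.asset} into PCI scope")
    else:
        findings.append(f"unknown action '{change.action}'; refused by default")
    return findings


def record(log, change, findings, approver):
    """Append a hash-chained log entry so later edits to the trail are detectable."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "change_id": change.change_id,
        "requester": change.requester,
        "approver": approver,
        "asset": change.asset,
        "action": change.action,
        "params": change.params,
        "findings": findings,
        "decision": "rejected" if findings else "approved",
        "prev": log[-1]["digest"] if log else "0" * 64,
    }
    entry["digest"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1


if __name__ == "__main__":
    log = []
    proposals = [  # constructed change requests
        Change("CHG-1", "alice", "web-shop", "open_port", {"port": 443, "from_zone": "internet"}),
        Change("CHG-2", "bob",   "db-pay",   "open_port", {"port": 5432, "from_zone": "corp"}),
        Change("CHG-3", "bob",   "wiki",     "add_route", {"to_asset": "db-pay"}),
        Change("CHG-4", "alice", "pos-01",   "open_port", {"port": 23, "from_zone": "guest"}),
    ]
    for change in proposals:
        entry = record(log, change, check_change(change), approver="carol")
        print(entry["change_id"], entry["decision"], *entry["findings"], sep="\n  ")
    print("log intact:", verify_log(log) == -1)
```

Run as a script, the first request (the public web shop on 443) is approved while the other three are rejected with a reason the requester can act on: a database in the cardholder data environment opened to the corporate LAN, a wiki routed into the CDE (which would drag it into scope), and telnet on a point-of-sale terminal. Each decision, its findings and its approver go into the log, and each entry carries the SHA-256 of the previous one, so anyone editing an old entry after the fact breaks the chain that verify_log() recomputes. A real deployment would sign or ship that log somewhere the change engineers cannot write, but the structure is the same.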